Tim O'Leary Anti Virus Site
If you find this site useful, please send me a brief email to tell me or with suggestions to make it easier to use.


Information about the happy99, ska Trojan
Happy99 is a Win32-based Trojan program. When executed, it displays some fireworks. Behind the fireworks display, it carries out other activity in the background without the user's permission: it creates two files, SKA.EXE and SKA.DLL, and alters WSOCK32.DLL to insert its code into that file, keeping the original file as WSOCK32.SKA. It cannot modify WSOCK32.DLL while the file is in use. In that case it adds an entry to the Windows Registry to run SKA.EXE the next time the computer is booted so that it can make these modifications. The size of this trojan file is 10000 bytes.

This virus does not steal passwords, as some sources have reported. It does not contain any payload other than the fireworks display. However, it could overload an e-mail server if a lot of copies get passed around. Also, since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. This virus does not affect Macs, DOS, or Windows 3.x.

You will not get infected by Happy99 merely by downloading the trojan file. You will have to execute it to get infected.

The modified WSOCK32.DLL has routines to detect the email and newsgroup postings made by the user. It will send a copy of the SKA.EXE file renamed as happy99.exe to every user or newsgroup to whom the user has sent an email. Each recipient will get the email only once and the trojan will not send repeat email to the same user. It will send a separate email retaining the subject of the first email with the file as an attachment. The trojan also maintains the file LISTE.SKA which contains the list of all email addresses and newsgroups to which this file has been sent. The unique function of this trojan is that it can spread on its own.

Happy99 first appeared in January 1999 and it is reported to have affected a lot of users.

Other names of happy99:

This trojan is also known as win32.ska.a, ska, wsock32.ska and ska.exe.

What is happy99? Trojan, Virus or Worm?

This program can only be classified as a Trojan. It is not a virus, as it does not replicate itself and does not attach itself to any other file or program. It is also not a worm: even though it can spread on its own, it needs to be executed to get control, whereas a worm is capable of spreading and infecting the target computer on its own. Happy99/Ska is a trojan with the capability to distribute itself.

Removing happy99 from your computer:

You can remove this trojan manually from your computer. To do that, first check the WINDOWS\SYSTEM folder for the presence of these files.


If you find these files then you have been attacked by the Happy99 Trojan. To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL
2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have the WSOCK32.SKA file before deleting WSOCK32.DLL, and ensure that you have renamed this file properly. You may have to close your browser, email software, etc. to delete and rename the DLL files.
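
The check and the two removal steps above, written as an added example (not part of the original page). It refuses to delete WSOCK32.DLL unless the WSOCK32.SKA backup is present. The function names are hypothetical, and the demo runs on a constructed folder of placeholder files rather than a real WINDOWS\SYSTEM folder.

```python
import os
import tempfile

TROJAN_FILES = ("SKA.EXE", "SKA.DLL")   # files the page says Happy99 creates
BACKUP = "WSOCK32.SKA"                   # original Winsock DLL kept by the trojan
PATCHED = "WSOCK32.DLL"                  # copy modified by the trojan

def find_ci(folder, name):
    """Return the real path of `name` in `folder`, matched case-insensitively."""
    for entry in os.listdir(folder):
        if entry.upper() == name.upper():
            return os.path.join(folder, entry)
    return None

def scan(folder):
    """List which of the Happy99 files named on the page are present."""
    return [n for n in TROJAN_FILES + (BACKUP,) if find_ci(folder, n)]

def clean(folder):
    """Apply the page's two removal steps; refuse if WSOCK32.SKA is missing."""
    backup = find_ci(folder, BACKUP)
    if backup is None:
        # Without the backup, deleting WSOCK32.DLL would leave no Winsock DLL.
        return False
    for name in TROJAN_FILES + (PATCHED,):
        path = find_ci(folder, name)
        if path:
            os.remove(path)  # raises if the DLL is in use: close browser/mail first
    os.rename(backup, os.path.join(folder, PATCHED))
    return True

def demo():
    """Run scan and clean on a constructed folder of placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("Ska.exe", b"x"), ("SKA.DLL", b"x"),
                           ("WSOCK32.DLL", b"patched"),
                           ("WSOCK32.SKA", b"original")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        found = scan(d)
        ok = clean(d)
        with open(os.path.join(d, PATCHED), "rb") as f:
            restored = f.read()
        return found, ok, sorted(os.listdir(d)), restored

if __name__ == "__main__":
    print(demo())
```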



Created by Tim O'Leary email: tmoleary@melbpc.org.au
9 Nov 1998 / updated 22/12/1998, 10/1/99, 29/3/99, 10/5/99
URL: http://www.alphalink.com.au/~oleary/Virus/happy99.htm